
UNITED STATES PATENT APPLICATION 
of 

Richard Schroeppel 
for 

Automatically Solving Equations in Finite Fields 



Background 

1. Related Applications 

This appHcation f^^f^^l^SS^ 1 ^ 

AMBIGUITY RESOLUTION , is a ^J^J^^Vued March 3, 2000 

Pa r\!??ed C SRS T OGRSHIC "li£l£c ^ APPARATUS AND 
and entitled c « Y ? TOG fr* a ^_*77 t of u#s . Provisional 
METHOD, also claims toe k®?®* 1 * °%V* J, April 13, 2000 and 

and is a continuation-in-part of U.S. patent JMf 

RESOLUTION. The foregoing applications are hereby incorporated by reference.

2. The Field of the Invention 

This "ion relates ^^St^fST-™^* the 

computations by computers.

3. The Background Art 

The science of cryptography has existed since ancient times. In recent years, cryptography has been used for purposes such as
purpose software P^f^* '^^^Less? inhibiting 
^l^l^X r '^Zk^^so^s, lifting 
unauthorized use, and the like. 

Cryptographic Processes 

Modern cryptography protects data transmitted over a network or stored in computer systems. Two principal objectives of cryptography include (1) secrecy, e.g., to prevent the unauthorized disclosure of data, and (2) integrity (or authenticity), e.g., to prevent the undetected modification of data. Encryption is the process of disguising plaintext data in such a way as to hide its content.

SSStSt^S StSlSSSSSt issued decryption, 
cryptographic algorithms secret. 






There are two general types of key-based cryptographic algorithms: symmetric and public key. In symmetric algorithms, the encryption key can be calculated from the decryption key and vice versa. Usually, they are the same. As such, a sender and a receiver must agree on a key (a shared secret) before they can communicate. The security of symmetric algorithms rests in the key; anyone who has the key can encrypt and decrypt data or messages with it.



In public-key algorithms (also called asymmetric algorithms), the keys used for encryption and decryption differ in such a way that at least one key is computationally infeasible to derive from the other. To ensure secrecy of data or communications, only the decryption key need be kept private, so that ciphertext can be read only by the holder of the private decryption key.

Conversely, to ensure integrity of data or communications, only the encryption key need be kept private, and a holder of a publicly-exposed decryption key can be assured that any ciphertext that decrypts into meaningful plaintext using this key could only have been produced by the holder of the private encryption key, and that no one has corrupted the ciphertext after its encryption.

A private key and a public key ^^f^^LZr of one 
functionally reciprocal f the other key of the 

2J pair can 5£ . ^J^^^^^ ~> 

SXmunicated without an exchange of keys. 

an asymmetric algorithm 

« a fthe 5^ JHhssiS 

If ?f run W ^ tM^^SffrSSti 

Cryptographic hash algorithms are known, such as the Secure Hash Algorithm (SHA) and Message Digest 5 (MD5).



A certificate is a data structure associated with assurance of integrity and/or privacy of a public key. It binds the identity of a holder to a public key of that holder, and may be signed by a certificate authority (CA). Certificate authorities may be arranged in a hierarchy of subordinate levels.






a , 6 §| contain data regarding the i^fcity of the 

A certificate »J contain u y (typically a public 

certificate enables a holder of the , holder/ 

whom the certificate is asserted " £^£2^ to ver ify 

tnarnoSlnglrSrc^^ 

55£f Is accomplished using the certificate 

public key in the certificate. 

Various cryptographic techniques rely on elliptic curves. Code and documentation for the use of elliptic-curve cryptography are available in the art.

SSuStSS associated with creating, weaving, and 
processing of cryptographic keys. 

Public-key cryptography makes extensive use of modular arithmetic. Computing A^B (mod C) is a staple operation; the caret ^ means exponentiation (i.e., A to the power B). In an elliptic-curve group, the exponentiation A^B is replaced by adding B copies of the point A.






BRIEF SUMMARY AND OBJECTS OF THE INVENTION

In view of the foregoing, it is a primary object of the present invention to provide an apparatus and method comprising an elliptic curve point modification system.

Consistent with the foregoing object, and in accordance with the invention as embodied and broadly described herein, an apparatus and method are disclosed in certain embodiments of the present invention as including a method and apparatus for serving a cryptographic engine supporting a key generation module. The key generation module creates key pairs for encryption of substantive content to be shared between two users over a secured or unsecured communication link.

In certain embodiments an apparatus and method in accordance with the present invention may include an apparatus and method useful for communications, for example over an internetwork, for authenticated public keys over the Internet and for encryption generally.

It is another object of the present invention to provide an apparatus and method for efficient and rapid authentication, such as is used as part of an electronic cash system.

Most public key cryptography operations, such as key exchange, digital signatures, encryption, and identity authentication, can be implemented very efficiently using elliptic curve arithmetic. It is an object of this invention to make elliptic curve arithmetic faster, and thereby improve the public key operations. It is yet another object of the invention to be useful for faster elliptic-curve key generation, for faster elliptic-curve ElGamal encryption, for faster elliptic-curve digital signatures and for faster MQV authentication (see IEEE draft standard P1363). It is also an object of the invention to be generally useful wherever computations with elliptic curves are used. The improvement works with any field-element representation, including polynomial basis representation, normal basis representation, and field-tower representation.

The invention is described as a set of formulas which are implemented in a computer program. The same computations can also be carried out very efficiently in purpose-built hardware devices, or in semi-custom logic, for example, smart-cards or FPGA circuits, or as firmware controlling hardware, or as a combination of these elements.






A principax Mre ^^%^JS^McSS^>^ 

accordance with the inv ®^ 1 °".^ "f an elliptic curve 

and negative point modification. 

in one aspect of the i-^J^^JS^ l^To^Vt 
selected from integral ^^ 9 ; nd po in? multiplying 

denominator that is an «^* a * " iDlica tion, imaginary 

modification operation in advance. 

In another aspect of ^^gS^ SStftKISS "* 
Sit^as* o£ coordinates corresponding to points in a 



subgroup . 



times selected by a user. ine ^ number of points is 

include determining which of * J^g!^^ processes may 
to be used. The foregoing point modification processes may be repeated with a second point, which is selected by either a deterministic process or a random process.

in yet another aspect of the invention jubstantive content 
maybe sent by a send ? r e a J? on e ° roc S s b Lr S£££Un that is 

u!Ss for decryption. The key may be a *^tr^c key 
configured to be shared by two or d ^jKure, 

SWereiupSran a^orSc'curTcr In aLxian 

variety. 

in a further aspect of the invention thj«difi«tlo^ 
process may be the giving of » J^^JJ£ \ r the point 
halved may be represented "i* C SSS^Sv2g a cartesian 
may exist in a ^^^^%^^^c1v6b only a 
35Sr£SSica^ii?2lv?»g operation or multiple 




. , •„*.»- The selected point may be by^fccartesian 

computing a fractional multiple of a point represented as a proper fraction, an improper fraction, or a complex fractional multiple.

Another feature provided by an apparatus and " e *^ d ion 
f~ with ?he invention includes a point modif xcatxon 

point modification. 

The keys generated by the key generation module may be 

SjAkJSK ss,r»... 

point modification. 
Algorithm. 

The above objects may be met by one or more embodiments of an

53? S ^-ssset^ is«-r 

in accordance with the invention may provide the desirable features as described.






BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other objects and features of the present invention will become more fully apparent from the following description and appended claims, taken in conjunction with the accompanying drawings. Understanding that these drawings depict only typical embodiments of the invention and are, therefore, not to be considered limiting of its scope, the invention will be described with additional specificity and detail through use of the accompanying drawings in which:

Figure 1 is a schematic block diagram of an apparatus in accordance with the invention, communicating over a network or internetwork;

user in accordance with the invention; 

Figure 3 is a schematic block diagram of a key generation

ss: rscss-ss'ss sfs^sGzr 

use of the keys for encryption, and decryption 
of a message; and 

SB5 ^rKs^s srssss-.- 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

It will be readily understood that the components of the present invention, as generally described and illustrated in the Figures herein, could be arranged and designed in a wide variety of different configurations. Thus, the following more detailed description of the embodiments of the system and method of the present invention, as represented in Figures 1 through 6, is not intended to limit the scope of the invention, as claimed, but is merely representative of certain presently preferred embodiments of the invention.

The presently preferred embodiments of the invention will be best understood by reference to the drawings, wherein like parts are designated by like numerals throughout. Reference numerals having trailing letters represent specific instances of a generic part designated by the number alone;

thus, a number






number 



W- tar exjfc »ay be f^^f^ii^t^Uon, 

reference numeral 156.

Referring to Figure 1. an appar atu . 10 Bay g^&SV, 
invention on one or -ore nodes < cl ^f c ^ nen ? s m ay 

The apparatus 10 may include an input device 22 for receiving inputs, for example from the network 30.

internally, a bus ^^^^r^^f^ 1 

numerous configurations. Wire, fiber optic line, electromagnetic communications by visible light, infrared,

^"SJSn — ^ Sf^isea f or 
interaction with the user, as may a ^""^/g^ 

pointing device. ^.^ 9 ~^ 8 ^^J?5SliS^^ 

simply a telephone line 39, may be used r °J scanner 



network 50. 



Output devices 24 may likewise include one or more physical hardware units. For example, in general, the port 28 may be used to accept inputs and send outputs from the apparatus 10. A monitor 42 may provide outputs to a user for feedback during a process, or for assisting two-way communication between the processor 12 and a user. A printer or a hard drive 46 may be used for outputting information as output devices 24.






The network 30 to which a node 11 connects may, in turn, be connected through a router 48 to another network 50. In general, two nodes 11, 52 may be on a network 30, on adjoining networks 30, 50, or may be separated by multiple routers 48 and multiple networks 50 as individual nodes 11, 52 on an internetwork. The individual nodes 52 (e.g. 11, 52, 54) may have various communication capabilities.

Nodes 11, 52, 54 may be referred to, as may all together, as a node 11 or a node 52. Each may contain a processor 12 with more or less of the other components 14-44.

A network 30 may include one or more servers 54. Servers may be used to manage, store, communicate, transfer, access, update, and the like, any practical number of files, databases, or the like, for other nodes 52 on a network 30. Typically a server 54 may be accessed by all nodes 11, 52 on a network 30. Nevertheless, other special functions, including communications, applications, directory services, and the like, may be implemented by an individual server 54 or multiple servers 54. A node 11 may be a server 54.

In general, a node 11 may need to communicate over a network 30 with a server 54, a router 48, or nodes 52 or server 54. Similarly, a node 11 may need to communicate over another network (50) in an internetwork connection with some remote node 52. Likewise, individual components 12-46 may need to communicate data with one another. A communication link may exist, in general, between any pair of devices. The process and method of the invention may be performed on the hardware structure illustrated in Figure 1.

Referring to Figure 2, a memory device 20 in an apparatus 10, and more particularly in an individual computer 11, may include a cryptographic engine 58 for creating, manipulating, accessing, using, and otherwise operating on cryptographic keys. Cryptographic keys are known in the art. A key generation module 60 may be responsible for creating keys that may be used to encrypt substantive content 62 for one or a multitude of purposes. As discussed above, the substantive content 62 may be used for various functions, including transmission of the substantive content 62 between users.

In general, a key generation module 60 may support local and remote repositories 64 of key pairs 66. A key pair 66 may involve a public key 68a and a private key 68b. In alternative embodiments, a particular key pair 66a may include symmetric keys 68a, 68b. However, in current strong cryptography, the individual keys 68a, 68b are a public/private pair used as described above for preparing and processing information to be sent and received.




£ r-SSiSStKS^'S securely 

SSHuJhen^e^iC^c.. substantive content 62 that 

is being exchanged. 

In one embodiment, the key generation module 60 may include an elliptic curve module 74 in accordance with the invention. In one presently preferred embodiment, a point modification module 70 may be provided by the key generation module 60. The point modification module 70 may employ one or more of point

E ^include' an executable, of «»»i e «™iiS t ^5 having a 
considerable sophistication in order to create J 3 ™^ 

££££ 7" bivalent. processing 72 executed upon 
receipt of encrypted information. 

Key pairs 66, such as the public/private pairs 66a, 66b or

HcEls ^ US opS-e on 

ephemeral secret 80. An ephemeral secret 80 may be

communication link J"""\a session p slmllar i y , 
rorTsing" £jffita?3^~"7 content 62 an 

some combination of numbers associated by a user witn a 
single message. 

Sr^soSe ^^Sn^^s-srsr^i* 

The input/output systems 90 may provide the wrapping, pre-processing, post-processing, maintenance, verification, and the like associated with creating, distributing, using, and management of the keys 68.

Referring to Figure 4, a method 91 for using the apparatus

Sets rSssxzs? tts^£»&£ 




snaring 94 ^l^t^f ^l^l Scref^ computed 
distribution, ? r . th « 11 S to b e reliable over an 
secret 96 ^^^l^J^^^^jS^raaB communications 
extensive period of time jn^lving^ creat ing 98 a . 

between users. In order to ^^^dividual transactions, in 
message counter ^occurd^ ox transactions, or. for some 
preparation for a short se iv-1 short , spanning a 

SSS^^^-S^' or the like. 

in general, creating the message ^^i^^tSTiiSSd 

creating 100 an ephemeral secret su mes sage, or a 

secret 102 may have a ^J^J" ^^e? Thus, the shared 
single computer session, or the liKe & compara t 1V ely 

secret 102 may be an ephemeral secre by a comparatively 
short length or suitable f °* J^f^^n ephemeral secret 

if ^ras^lr^wM^sSc, creating 100 is 
done . 

Executing 104 a function may be done J^nown in the ar 
or as described ^ the art Hash ing ^ ^ ge 
verification to both ^chines ana u unin tentional (e.g., 
modification, whether in ^ n ^°^ u ?er glitch) , has occurred, 
modification simply due o °^° m 0 f | ne g WO ven key 69 and the 
2£S numbe S r°S6 S ?o creaK^'ephemeral symmetric key. 

Thereafter, encrypting 106 -g^S^^^lS 109 
followed by a transmission 108 ^Substantive content 62 
of the substantive co f ™? 0 g ra phic system. Note 

may have been prepared with % °rYj£og p be a signature on 

Thus, cryptographic key usage, or, more properly, key management, may involve one or more keys. Moreover, those one or more keys may be incoming, outgoing, or the like. Also, those keys may be used on substantive content 62 that is outgoing, incoming, or both.

Decrypting 110 returns substantive content 62 to the clear. Decrypting 110 may be more complex than, of equal complexity to, or less complex than an encrypting process 106. Typically, encrypting 106 and decrypting 110 are substantially mirror images of one another.




?nve^^ 

location, a different user, who will eventually correspond with an initial user, may also generate 116 a public key from a private key relying on point modification 118, which may be a point halving 118. At this stage, the generation processes 112, 116 are performed apart.

Distributing 120 a public key 68a may require authorization or other exercise 122 of a key authority. In other words, the key authority represents the authorization owned by an entity. Accordingly, in a corresponding process, a distribution 124 of a key that will end up being distributed to a first user from a second user may be completed.

Thus a user "A" may distribute a public key "A" to a user "B". Similarly, a user "B" may distribute a public key "B" to a remote user "A". A user may receive 126 a public key from another user. Accordingly, a corresponding partner in communication may receive 28a a first user's public key.

In certain embodiments, weaving one's own private key with a received public key may rely on an elliptic curve method 132. The elliptic curve method 132 results in a woven key 69. Similarly, weaving 134 results in the same woven key for a remote user, creating 136, 138 a counter enabling an encryption 106, 140 of substantive content 62 being shared between a user "A" and a user "B".

Exactly who performs the encrypting 106, 140 depends upon the directionality of a message, authentication, or other substantive content 62. Appropriately, a transmission 108 and reception 109, or a send 108 and a receive 109, will represent a particular user. Similarly, an exchange 142 (which may be a send 108 or a receive 109) represents activities at a remote user.

Accordingly, decrypting 110, 144 provides the substantive content 62 in the clear. Of course, the substantive content 62 may simply be knowledge provided by transmission of signatures, authentications, and the like. Each of the processes of generating 112, distributing 120, and the like may involve the processing of large numerical keys. The use of a method and apparatus in accordance with the invention may be more time-consuming, particularly depending on the frequency and complexity of any particular key manipulation. Similarly, encrypting 106, 140 and decrypting 110, 144 may use methods in accordance with the invention, depending on the need for security, the complexity, the frequency, and so forth.






Referring to Figure 6, a method 145 may be simplified to receiving 146 a public key for an entity. Nevertheless,

SSKk'S.'SSSS Pressing. 

Next, running 148 » -^g^^SiS £^5 » 

processed information Pf e P ar ^ n w "~ —nresent a successful 
SffiSi ofTe^uM e» e o r set o £ nations 
using the keys 68 or a key 68. 



Most public key cryptography operations, such as key exchange, digital signatures, encryption, and identity authentication, can be implemented very efficiently using elliptic curve arithmetic. An apparatus and method in accordance with the invention may make elliptic curve arithmetic faster, and thereby improve the public key operations. Faster elliptic-curve key generation, faster elliptic-curve ElGamal encryption, faster elliptic-curve digital signatures, and faster MQV authentication (see IEEE draft standard P1363) may result. The improvement described herein may be generally useful wherever computations with elliptic curves are used.

Such a method may be implemented in a computer program, for example as the point modification module 70. In certain embodiments, the point modification module 70 may be configured to execute a point modification algorithm, and may be implemented in hardware, such as, for example, smart-cards or FPGA circuits.

Details of the Improvements

Xhe present i^-^^^^SS^ StSSEMS 

two -P^^, 1 "^ 1 %ne improvements apply to both 

in public-key cryptography and other places. 
Division 

The (exact) Division algorithm is useful for computing digital signatures and for verifying signatures. It is useful in elliptic-curve cryptography, in characteristic 2 fields and other fields, in non-field structures such as rings, and in many other cryptographic procedures and methods.






In arithmetic systems such as modular arithmetic, a quotient Q is represented as a numerator N divided by the denominator D, with Q*D = N. The usual way to do the calculation is to use a reciprocal. For example, in mod 7 arithmetic with D = 3, the solution X of 3*X = 1 is called the reciprocal of 3, and is written 1/D or D^-1. The equation with general N is solved by multiplying N times the reciprocal, giving Q = N*(1/D). Continuing the example, the reciprocal of D = 3 in mod 7 arithmetic is 5, because 3*5 = 1 (mod 7), so 1/3 = 5. The quotient 5/3 is Q = 5*(1/3) = 5*5 = 4 (mod 7).

Reciprocals may be computed with the methods in Knuth, The Art of Computer Programming (especially volume 2), or the Almost Inverse Algorithm (see Schroeppel et al., in the Proceedings of CRYPTO '95), or with Kaliski's "Montgomery Inverse" (see Kaliski, "The Montgomery Inverse and Its Applications", IEEE Transactions on Computers, August 1995), or with a Blend of Almost-Inverse and Montgomery-Inverse, as used in the computer program JAVA.

The Almost-Inverse algorithm, which computes the reciprocal of D (mod M) for odd M, is:

Initialize B=1, C=0, F=D, G=M, K=0.

Loop: While F is even, { Do F=F/2, C=2C, K=K+1 }.

If F=1, return B and K.

If F<G, exchange F with G and exchange B with C.

If F=G (mod 4), { F=F-G, B=B-C }

otherwise, { F=F+G, B=B+C }
Goto Loop.

The returned B satisfies B*D = 2^K (mod M), so B must be further processed (mod M): B is divided by 2^K (mod M) to get the actual reciprocal 1/D.

In each of these Reciprocal/Inverse algorithms, after the loop finishes one of the variables is returned as the value of the reciprocal. In the Almost-Inverse Algorithm and the Blend Algorithm, the variables are B and C.




If the variables are instead initialized to N times their usual starting values, the final value of the reciprocal algorithm will be the quotient N/D. This saves the multiplication step after the reciprocal algorithm, when the quotient is needed. In the Almost-Inverse algorithm, initialize B to N and C to 0. (Notice that no actual multiplication by N is required!)
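As an added example (not the patent's own code), the loop listed above run in Python for an odd integer modulus, with the finishing step that divides B by 2^K (mod M) and the Division variant that starts B at N instead of 1. The function names are this example's assumptions; the sample values D = 3, N = 5, M = 7 are the page's own 1/3 = 5 and 5/3 = 4 example.

```python
# Added example: Almost-Inverse loop for an odd modulus M, run as a reciprocal
# (B starts at 1) or as the Division variant (B starts at N).  Returns (B, K)
# with  B * D = 2^K * N  (mod M); the finishing step then divides B by 2^K.
def almost_inverse(d, m, n=1):
    """The loop exactly as listed in the text; n=1 gives the reciprocal of d."""
    if m % 2 == 0:
        raise ValueError("M must be odd")
    b, c, f, g, k = n, 0, d, m, 0
    while True:
        while f % 2 == 0:          # strip factors of 2 from F, count them in K
            f //= 2
            c *= 2
            k += 1
        if f == 1:
            return b, k
        if f < g:                  # keep F >= G
            f, g = g, f
            b, c = c, b
        if f == g:                 # F - G would be 0: gcd(D, M) > 1, no reciprocal
            raise ValueError("D and M are not coprime")
        if f % 4 == g % 4:         # F - G is a multiple of 4 ...
            f, b = f - g, b - c
        else:                      # ... otherwise F + G is
            f, b = f + g, b + c


def finish(b, k, m):
    """Finishing step: divide B by 2^K (mod M).  Halving mod odd M needs no inverse:
    an odd B is made even by adding M before the shift."""
    b %= m
    for _ in range(k):
        if b % 2:
            b += m
        b //= 2
    return b


def reciprocal(d, m):
    """1/D (mod M) via the Almost-Inverse loop plus the finishing step."""
    b, k = almost_inverse(d, m)
    return finish(b, k, m)


def divide(n, d, m):
    """N/D (mod M) with B initialised to N: no multiplication by N after the loop."""
    b, k = almost_inverse(d, m, n)
    return finish(b, k, m)


if __name__ == "__main__":
    # The page's example in mod 7 arithmetic: 1/3 = 5 and 5/3 = 4.
    print("almost_inverse(3, 7) =", almost_inverse(3, 7))      # (-1, 2): -3 = 4 = 2^2 (mod 7)
    print("1/3 mod 7 =", reciprocal(3, 7), " 5/3 mod 7 =", divide(5, 3, 7))
```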



Adjustments 

In the Almost-inverse algorithm, the variables B and C start small, and are never longer than M, the modulus, or P, the field polynomial. B and C fit in registers sized for M. Moreover, there's a software optimization that takes advantage of the small size of B and C at the start of the algorithm, and their relatively slow increase, while the algorithm variables F and G decrease. This optimization uses fewer instructions to manipulate B and C when they are small. It can also use some of the registers freed by the shrinkage of F and G to accommodate the growth of B and C. The same holds in Kaliski's algorithm, and usually holds in the Blend algorithm. This optimization is reduced or cancelled when the variable B starts out large, as for the Division algorithm. (The optimization is not usually important in hardware.) Some provision must be made for the resulting larger B and C values. The size increase is manifest when B or C is shifted left, and can be apparent when they are added or subtracted. I prefer option 2 below, but which is best will depend on details of the design or application that needs the quotient.

Options for larger B and C:

(1) Resize the registers holding B and C for larger values. Adding length(N) bits, or length(M), is enough. A modular reduction step is used at the end of the algorithm to bring the answer into range, typically 0<=B<M.

(2) Check for overflow of B or C during the course of the algorithm. When this happens, reduce B and C to a smaller value mod M by adding or subtracting a multiple of M, to make B (or C) small enough. "Small Enough" might mean B<M, or a less stringent condition when there's extra room in the register containing B. It's sometimes useful to have a multiple of M handy for easier arithmetic. For example, in the GF[2^N] case, M might have lots of bits ON, but have a multiple M' with only a few bits ON, and most modular reduction can use M'.

Checking strategies:

(a) After every shift, add, or subtract.
(b) Keep extra room in registers for B, C, and a counter representing "Free Space in B register". Debit the counter for shifts, adds, etc. When it reaches 0, reduce B and C, or just the one that has the smaller estimate of free space.






(3) Check for overflow. If it happens, switch to a backup method for computing the quotient.

(4) Don't check for overflows. Verify that quotient is 
correct, and use a backup method when it isn't. 

Options 3 & 4 need enough room in the B & C registers to make 
use of the backup method rare. 

Except for option 2 (those versions that maintain B<M and 
C<M), a modular reduction step is needed at the end of the 
quotient algorithm to bring the quotient into normal range. 
This can be combined with the "finishing step" in the 
Almost-inverse algorithm, and Kaliski's, and the Blend 
algorithm. 



Solution of Quadratic Equations 

The solution of quadratic equations (QSolve) has important applications in elliptic-curve cryptography. Several fundamental computations include QSolve as an ingredient, and speeding up the computation for QSolve, and/or reducing the size of the required circuit, or reducing the amount of table memory used, are important benefits of the invention. The improvement is described for the polynomial basis. It is also useful for field/ring representations that include a polynomial basis as a component, such as field towers, or mixed representations.

See Mike Rosing's book, Implementing Elliptic Curve Cryptography, for background on finite fields and solving quadratic equations.

In the next section, we'll be working with finite fields of characteristic 2. Usually there's a defining polynomial of degree D;

Poly(u) = u^D + ... + 1

The coefficients are all mod 2, single bit values, either 0 or 1. Poly is usually irreducible (mod 2), although the algorithms given mostly work whether or not Poly is irreducible. If Poly is not irreducible, the resulting structure is a ring instead of a field.

Sometimes we want Poly to be a trinomial, u^D + u^M + 1. M is the degree of the middle term. The quantity G = D-M is the GAP between D and M.

Any field element is some polynomial of degree < D.
A = sum a_k u^k with 0<=k<D, and a_k = 0 or 1.






Poly is used to reduce terms with degree D or higher.

When working in software the usual custom is to store the bits of A so that the higher powers of u are at the "Left" or "High-Order" end of the computer words, and the lower powers of u are at the "Right" or "Low-Order" end of the words. The a_0 coefficient (the constant term of the polynomial) is in the low-order bit. We will use that convention here, while recognizing that an implementation might choose to use a different arrangement of bits.



Quadratic Equations 

In characteristic 2, addition and subtraction are the same, and both are carried out by xoring the bit representations of the field elements.

The ordinary quadratic formula doesn't work in characteristic 2 fields, because it has a division by 2. Instead, any quadratic equation can be converted, by a well-known change of variable, to one of two special equations: either X^2 = A or X^2 + X = A. The former is solved by a square root, which is separately computable in characteristic 2 fields; the latter is the QSolve problem, which also appears in point doubling.

Notation: Q(x) is x^2 + x. The inverse function, which solves the quadratic, is QS(A). Q(QS(A)) = A usually, and QS(Q(x)) = x, usually.

A is in some finite field and we would like QS(A) to be in the field. However, Q is a 2->1 map: the elements x and x+1 both map to the same value, so half the possible A values have two solutions, and the other half have no solution. There is a test for whether A has a solution. There's a bit-mask Tm, the Trace-mask. To test if QS(A) exists, the bit representation of A is ANDed with the Trace-mask. If the parity of the result is even (i.e., A & Tm has an even number of ON bits) then A is solvable, otherwise not. A bit is ON in the Trace-mask when the corresponding field element has no quadratic solution. Sometimes the trace-mask has only one or a few bits ON, depending on the field polynomial. When the field degree is odd, A=1 has no solution, and the matching bit is ON in the Trace-mask for the corresponding field element Beta = 1. In odd-degree fields, we use Beta=1. If A is not solvable, then A+Beta is solvable, and vice versa: if A is solvable (QS(A) exists) then A+Beta is unsolvable.

The sum of solvable and unsolvable values: solvable + solvable = solvable; unsolvable + unsolvable = solvable; solvable + unsolvable = unsolvable. We resolve some ambiguities by declaring that the low bit of QS (which corresponds to field element 1) is always OFF, and need not be represented in any algorithm or circuit. Moreover, we extend QS to be defined for every A, solvable or not, by carrying out the same computation whether a Beta adjustment is required or not.

A curious property of the QS function is that it is linear. This leads to a *very* curious set of consequences. In fact, QS(A+B) = QS(A) + QS(B). An important consequence is that QS(A) can be computed by splitting A into pieces, somehow solving QS for the individual pieces, and then adding up the piece solutions to get QS(A). One approach is to prepare a table of the values QS(u^K); since any A is the sum of some of the u^K, this gives a method for QS(any element).

How to prepare the QS table?

If the field degree is odd, then QS(A) = sum of A^(2^(2K)) for K = 0, 1, ..., (D-1)/2. [Accumulate alternate squares.] The formula remains valid for the extended QS: when A is unsolvable it yields QS(A+Beta).

snriisrs sum? ^«faa^ 

suppose the field degree is D. ^ItrL^^f^ 

bits OFF) . The left half ^"^"^S^'^i to make 
elementary ™» °P^f "J*, < "Sofas' close to an identity 
the ^ft half of the "^.J 0 ^ succeed, since the rows 

aren't quite linearly independent, but there's only one degenerate row of all 0s. The other rows contain u^K or u^K + Beta in the left half.

T ;r?o„ a order h bi"" S^"£ "UedUth the Beta column 
from the left half of the matrix. 

The basic table of QS(u^K) needs D rows of D bits each. The entries will have an average of D/2 component bits ON.




I now turn to the improvements. I present some hardware and software optimizations of the basic algorithm. Some reduce the table size, some reduce the computation, and some do both, giving smaller and faster computation.

In the following, imagine that QSolve(A) is computed by a generic circuit or computer subroutine. The circuit or subroutine will have an input register A that supplies A, and an output register Z that receives the bits of QSolve(A). The circuit/subroutine will process the bits of A singly or in groups, and make changes to Z that depend on the data from A. Z initially starts out as all 0s, and various data is xored into Z. Some of the methods also make modifications to the input register A. Some of the methods also have one or more working registers. (The details depend on the finite field we are working with.)

One important variation of QSolve computes only some of the bits of Z with a QSolve circuit. The remaining bits of Z are then recovered by solving the equation Q(Z) = A. If some of the bits of Z are known, "Zknown", and the others are "Zunknown", so that Z = Zknown + Zunknown, the Q(Z) = A equation reduces to Q(Zunknown) = A + Q(Zknown). Sometimes the RHS of this equation has only even powers of u, u^2K, and it can be solved with Equation A. Other times, some of the bits in the RHS value can be combined or used individually to determine some bits of Zunknown. These bits are then treated as known, and the reduction Q(Zunknown) = A + Q(Zknown) is repeated. (This is explained further below.) The optimizations that follow are described for the straightforward computation of Z.

The most important optimization is based on Equation A:

QS(u^2K) = u^K + QS(u^K). [Equation A]

This lets us eliminate even powers of u from our QS solution table, eliminating half the rows. In hardware this is easy to implement. When a field element is loaded into the input register for the QS circuit, the even-numbered bit positions are quickly disposed of: each u^2K term contributes u^K to the output register and u^K to the input register, at a cost of a few gate delays. The odd-numbered bits are solved with the






bit-or-byte-at-a-time table-lookup method above (only half as many xors to do), and then the output fixup register is added (xored) in to create the final answer. Software follows the same idea, generally working a word at a time. We work from the high-order end. The even-numbered bits are masked off and separated from the odd ones; the square root of that part, which contains only the even-degree terms u^2K, gives the u^K terms.



There are simple programming tricks, well known to assembly language programmers, to squeeze the spread-out bits a0b0c0...0z together in a few instructions, giving abc...z. The square root is placed in the output-fixup variable, a half, then a quarter, etc., of the bits at a time.

hot it is irreducible. 

polynomial. ) 

They are all based on Equation A and Equation B:

u^(K+D) = u^(K+M) + u^K [Equation B]

One software trick, available for any polynomial, [...]: [each bit] position needs a separate table [row ...], especially [...] u^(2K+1) [...] to set up words of data for the odd powers, and [...] words [...] as a [...]. The bits in a 32-bit word would represent

u u u u u ... u u u u

[one odd power u^(2K+1) per bit]. Now we can pick up, say, 8 bits at a time and look up the solutions in an appropriate precomputed table.
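The interleave-and-group lookup just described, as an added Python example that is not code from the patent. `spread_bits` is the well-known zero-interleaving trick (abc..z to a0b0c..0z) and `compress_bits` is its inverse; the rows of the linear map are constructed sample values standing in for QS table entries (any linear map over GF(2) works the same way), and the group tables hold the xor of every 8-bit subset so that eight odd-position bits cost one lookup instead of eight xors. All function and variable names are the example's own.

```python
# Added example (not code from the patent): the software grouping trick.
# Odd-position bits of a 32-bit word are gathered into a contiguous value,
# resolved 8 bits at a time with precomputed subset-XOR tables for a linear
# map, and the "bit spread" that interleaves zeros (abc..z -> a0b0c..0z) is
# shown as the inverse operation.  The rows are constructed sample values.

WORD = 32
MASK32 = 0xFFFFFFFF

def spread_bits(x):
    """Interleave a zero after every bit of a 16-bit value, putting its bits
    in the even positions of a 32-bit word (abc..z -> a0b0c..0z)."""
    x &= 0xFFFF
    x = (x | (x << 8)) & 0x00FF00FF
    x = (x | (x << 4)) & 0x0F0F0F0F
    x = (x | (x << 2)) & 0x33333333
    x = (x | (x << 1)) & 0x55555555
    return x

def compress_bits(x):
    """Inverse of spread_bits: gather the even-position bits of a 32-bit word
    into a contiguous 16-bit value."""
    x &= 0x55555555
    x = (x | (x >> 1)) & 0x33333333
    x = (x | (x >> 2)) & 0x0F0F0F0F
    x = (x | (x >> 4)) & 0x00FF00FF
    x = (x | (x >> 8)) & 0x0000FFFF
    return x

# Constructed rows: ROWS[j] stands for the table entry of the odd-position
# bit 2j+1 (an odd power u^(2K+1)); any 32-bit values serve for a linear map.
ROWS = [(0x9E3779B1 * (j + 1)) & MASK32 for j in range(WORD // 2)]

def build_group_tables(rows, group=8):
    """For each run of `group` rows precompute the XOR of every subset, so a
    group of bits costs one lookup instead of up to `group` xors."""
    tables = []
    for start in range(0, len(rows), group):
        table = [0] * (1 << group)
        for idx in range(1, 1 << group):
            low = idx & -idx                      # lowest set bit of idx
            table[idx] = table[idx ^ low] ^ rows[start + low.bit_length() - 1]
        tables.append(table)
    return tables

TABLES = build_group_tables(ROWS)

def odd_bits_lookup(word):
    """Apply the linear map to the odd-position bits of `word`, 8 at a time."""
    odd = compress_bits(word >> 1)               # bits 1,3,5,... -> 0,1,2,...
    result = 0
    for g, table in enumerate(TABLES):
        result ^= table[(odd >> (8 * g)) & 0xFF]
    return result

def odd_bits_reference(word):
    """Bit-at-a-time version of the same map, for comparison."""
    result = 0
    for j, row in enumerate(ROWS):
        if (word >> (2 * j + 1)) & 1:
            result ^= row
    return result
```

The two 256-entry tables replace up to 16 conditional xors per word with two lookups; `spread_bits` applied to a compressed value (shifted left by one) puts the bits back at their odd positions, which is the operation Case 1 below uses to build blocks of terms.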




If there's a choice of trinomials available for defining a finite field, it's best if the degree of the middle term, M, is not close to either end of the range [1,D-1], but is toward the middle, around D/2. Some of the tricks discussed below work better for such M values.

We let G = D-M, the GAP between the high and middle terms of 
the trinomial. 

We need to branch, discussing 3 cases, based on the parity of 
the polynomial parameters D and M. 

(Case 1) 

When both D and M are odd, we can use Equation C to reduce 
the number of "hard bits" for QS, those bits needing a 
lookup table. 

QS(u^K) = u^K + u^(K - G/2) + QS(u^(K - G/2)) + QS(u^(2K-D)) [Equation C]

We apply this formula for K in the range D/2 < K < D. Working down from K=D-1, we first take care of the single bit u^(D-1), then the pair D-2 and D-3, then four, etc. In software, we switch over to processing whole words when possible. The largest block of bits one can handle together is limited by G/2, since bit K affects bit K - G/2, and by D-K, since bit K affects bit 2K-D = K - (D-K). We need a "bit spread" operation to spread out the block of bits abc..z, while interleaving 0s to get a0b0c...0z. This can be done in a small number of assembly language instructions, and is a well-known trick. This is used to build the u^(2K-D) terms.

After completing this processing, there will be an output-fixup variable built up from the u^K and u^(K - G/2) terms, and a leftover block of bits for QS. All the leftover bits will have exponent K < D/2. We process the even numbered bits in this set with Equation A. When we are done, only the odd numbered bits less than D/2 remain, which is at most D/4 bits. If we are using hardware, this means only D/4 rows are needed in our table. If we are using software, we can interleave the odd bits and process them in groups of 8, or whatever size is convenient, as indicated above.

One additional trick is available to halve the number of bits in a row, at a small time cost. This is most useful in hardware to further reduce table size, but it also works in software. When building the QS() table, we can discard the low bits of each row, for terms u^K with K < D/2. This makes each row half as long, only about D/2 bits. We use the table as usual, building up QS(A) from the bits in A. The xored answer is the high half of QS(A), with bits K > D/2, or field elements made from u^K with K > D/2. To recover the low half of QS(A), [...]. The high half of QS(A) is called QSH, for High Half. [We compute Q(QSH) and subtract it from] A, getting A - Q(QSH). (The subtraction is really xor.) This [value] will have a QS that consists entirely of low-half bits, u^K with K < D/2. The QS(A - Q(QSH)) [can be computed] entirely by applying Equation A repeatedly; about log_2 D steps are enough. [When] finished, there won't be any left-over odd degree bits, and the cumulative output-fixup from Equation A will be exactly the low-half bits of QS(A) that we needed to recover.
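The reductions of this section (Equation A, Case 1's Equation C, and the half-row trick just described), as an added Python example that is not code from the patent. It works bit by bit rather than in word-sized blocks, uses the constructed parameters D = 17, M = 3 (so G = 14 and G/2 = 7), represents field elements as Python ints with bit K the coefficient of u^K, and fills the table rows from the half-trace sum of A^(4^i), which is this example's own choice. Every name in it (`reduce_case1`, `qs`, `QS_ROWS`, `HIGH_MASK`, ...) is the example's, not the patent's.

```python
# Added example (not code from the patent): Case 1 (D and M both odd) of the
# QS computation in GF(2^D) with trinomial modulus P(u) = u^D + u^M + 1,
# followed by the half-row trick.  Field elements are Python ints with bit K
# the coefficient of u^K.  Constructed parameters: D = 17, M = 3.

D, M = 17, 3
G = D - M                      # the GAP; even because D and M are odd
P = (1 << D) | (1 << M) | 1    # u^17 + u^3 + 1
HALF = D // 2                  # K <= HALF is the low half, K > HALF the high half
HIGH_MASK = ((1 << D) - 1) ^ ((1 << (HALF + 1)) - 1)

def mul(a, b):
    """Field product, reduced modulo P(u) one bit at a time."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> D:
            a ^= P
    return r

def q(z):
    """The Q circuit: Q(Z) = Z^2 + Z."""
    return mul(z, z) ^ z

def trace(a):
    """Tr(A) = A + A^2 + ... + A^(2^(D-1)); Q(Z) = A is solvable iff Tr(A) = 0."""
    t, x = 0, a
    for _ in range(D):
        t ^= x
        x = mul(x, x)
    return t

def half_trace(a):
    """Sum of A^(4^i), 0 <= i <= (D-1)/2; satisfies Q(H(A)) = A + Tr(A).
    Used here (the example's choice) to fill the table rows."""
    h, x = 0, a
    for _ in range((D + 1) // 2):
        h ^= x
        x = mul(x, x)
        x = mul(x, x)
    return h

def modulus_is_irreducible():
    """D is prime and P(0) = P(1) = 1, so P is irreducible iff u^(2^D) = u."""
    x = 2                      # the element u
    for _ in range(D):
        x = mul(x, x)
    return x == 2

# Hard bits needing a table row: odd K < D/2, plus K = 0 (u^0 = u^(2*0), so
# Equation A cannot move it).  About D/4 rows instead of D.
HARD_KS = [0] + list(range(1, HALF + 1, 2))
QS_ROWS = {k: half_trace(1 << k) for k in HARD_KS}

def reduce_case1(a):
    """Return (output_fixup, hard_bits) with A = Q(output_fixup) + hard_bits,
    using Equation C for D/2 < K < D and Equation A for even K.  Working down
    from K = D-1 revisits every bit that is pushed to a lower position."""
    fixup = 0
    for k in range(D - 1, HALF, -1):      # C: u^K + u^(K-G/2) to the fixup,
        if (a >> k) & 1:                  #    QS bits at K-G/2 and 2K-D
            fixup ^= (1 << k) | (1 << (k - G // 2))
            a ^= (1 << k) ^ (1 << (k - G // 2)) ^ (1 << (2 * k - D))
    for k in range(HALF, 0, -1):          # A: u^(2K) -> fixup u^K, QS bit K
        if k % 2 == 0 and (a >> k) & 1:
            fixup ^= 1 << (k // 2)
            a ^= (1 << k) | (1 << (k // 2))
    return fixup, a

def solve_low_half(a):
    """Equation A alone, valid when QS(A) has only low-half bits: then Z^2
    needs no reduction and each u^(2K) + u^K pair collapses to u^K."""
    fixup = 0
    for k in range(D - 1, 0, -1):
        if k % 2 == 0 and (a >> k) & 1:
            fixup ^= 1 << (k // 2)
            a ^= (1 << k) | (1 << (k // 2))
    if a:
        raise ValueError("solution is not confined to the low half")
    return fixup

def qs(a, half_rows=False):
    """Solve Q(Z) = A.  With half_rows=True only the high half of each row is
    used (giving QSH); QS(hard - Q(QSH)) then lies in the low half and
    Equation A alone recovers it."""
    if trace(a):
        raise ValueError("no solution: Tr(A) = 1")
    fixup, hard = reduce_case1(a)
    z = 0
    for k in HARD_KS:
        if (hard >> k) & 1:
            z ^= QS_ROWS[k] & HIGH_MASK if half_rows else QS_ROWS[k]
    if half_rows:
        z ^= solve_low_half(hard ^ q(z))        # subtraction is xor
    return fixup ^ z
```

Q(Z) = A has a solution only when Tr(A) = 0, so `qs` checks the trace first; because Q(H(A)) = A + Tr(A) for the half-trace rows and the Equation C and Equation A rewrites are exact identities, Q(qs(A)) = A for every such A. For D = 17 only five rows (K = 0, 1, 3, 5, 7) are kept, matching the D/4 count above, and with `half_rows=True` only the high nine bits of each are read. Cases 2 and 3 substitute their own equations into the same descending loop.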

The table size with [these tricks] is about D/4 rows of about D/2 bits per row. If we fix the finite field [and implement] the table as gates, then we only need gates for the ON bits of the table, which is about 50%. [We can arrange each] individual row to have at most half of its bits ON, by complementing the row if necessary. (An additional xor bit records if an odd number of complemented rows are used, and complements the output accordingly.) The [resulting] number of xor gates for the hard-bits portion of QS [...] in [...] circuit [...] be as little as log_2 (D/2) [...] field case.

(Case 2) 

D is odd and M is even 



One option for this case is to [rewrite] our Equation B [as] Equation D:

u^K = u^(K-G) + u^(K-D) [Equation D]

We apply the Equation for all K>0, working as usual from the high end, [one bit at a] time. When we are done, we have a new field element A', equal to A, but expressed entirely in non-positive powers of u, from u^0 [down to u^-(D-1)]. The methods of Case 1 [then apply to A', with 1/u in the role of u; this is the "1/u method" referred to under Case 3]. [The results are converted back to non-negative powers with] Equation E:

u^K = u^(K+M) + u^(K+D) [Equation E]

This time we work up, starting with K = -(D-1) and finishing with K = -1.




An alternative method for handling Case 2 is available, and perhaps easier to understand. Start with the field element A, built from terms u^K, 0<=K<D. Apply Equation D to all K > D/2, working from the high end (K=D-1). This will create some negative powers of u, down to -(D-1)/2. Continue processing K's smaller than D/2, alternating between Equation A to eliminate even K, and Equation D to eliminate odd K. This will create further terms u^L with negative even exponents L in the range -D/2 > L > -D. All positive terms u^K with K>0 are eliminated. We have accumulated an output-fixup term from the use of Equation A. Now we use Equation A to process the negative exponent terms, eliminating all the even exponents and leaving odd exponents K in the range 0 >= K > -D/2. We also develop another output-fixup term with negative powers of u. We use Equation E to convert this term to non-negative powers, and combine it with the first output-fixup term.

We use a table method (similar to the methods above) to compute QS(u^K) for K odd in the range 0 >= K > -D/2; the hardware table would have about D/4 rows. A software method would probably interleave and group the bits.

To compute the individual values of QS(u^K) with K<0, use Equation F:

QS(u^K) = QS(u^(K+M)) + QS(u^(K+D)) [Equation F]

The half-row trick from Case 1 also works here: discard the low half of each row, u^K with 0<=K<D/2. Compute the high half of the solution, QSH = HighHalf(QS(A)). (A is composed of negative odd powers of u, with exponent range 0 to -(D-1)/2.) Convert A back to non-negative powers of u with Equation E. Subtract Q(QSH) from the converted A, and use Equation A to recover the missing half of QS(A).

Finally, add the various output-fixup terms to QS(A).

(Case 3)

D is even and M is odd. G is also odd. 

We first consider the subcase with M <= D/2, and G >= M. Suppose "A" is a general field element, a sum of some powers u^K with 0<=K<D. We eliminate as many bits as possible from A. Working from high K down, we eliminate bits with K>G. For even K, we use Equation A; for odd K we use Equation G.

QS(u^K) = u^((K+G)/2) + QS(u^(K-M)) + QS(u^((K+G)/2)) [Equation G]

As K approaches G, the odd values must be handled in small 
pieces, since (K+G)/2 is only slightly smaller than K. 

For QS(u^G), a separate table row is required.






For K in the range G > K >= D/2, we can use Equation H to eliminate terms.

QS(u^K) = u^K + u^(K - D/2) + QS(u^(2K-G)) + QS(u^(K - D/2)) [Equation H]

When K is near G, we must use short segments of terms, to avoid overlap with u^(2K-G), which is only a little less than K.

This removes all terms u^K with K >= D/2. Now use Equation A to eliminate even terms, working down from D/2. We are left with terms for odd K < D/2, to which we apply table methods from Case 1.



The other half of Case 3 is when M > D/2, and G < M. 

This is treated with the "1/u method" discussed at the start of Case 2.

The methods discussed here for computing QS mostly continue to work when the polynomial P(u) defining the field is not irreducible. An irreducible factor, P'(u), that divides P(u), must be identified. Suppose its degree is D'. The formulas for creating the QS table entries must be adapted. The sum of A^(4^K) works when D' is odd, and runs for 0 <= K < D'/2. The QS matrix should be D' x 2D'; QS for u^K with K >= D' is computed as QS(u^K mod P'). This is important because many potential degrees D for finite fields GF[2^D] do not have irreducible trinomials of degree D. It seems that most, perhaps all, have irreducible polynomials that divide a trinomial of slightly larger degree D*. The latter trinomial can be used as the working modulus for most field operations, with only occasional use of the true field polynomial with degree D.

Another option is to use pentanomials when trinomials are 
inconvenient or unavailable. The equations can be altered 
to include the additional terms. Usually the results are 
less efficient than the trinomial situation. 

The present invention may be embodied in other specific forms 
without departing from its structures, methods, or other 
essential characteristics as broadly described herein and 
claimed hereinafter. The described embodiments are to be 
considered in all respects only as illustrative, and not 
restrictive. The scope of the invention is, therefore, 
indicated by the appended claims, rather than by the 
foregoing description. All changes which come within the 
meaning and range of equivalency of subsequent claims are to 
be embraced within their scope. 






